summaryrefslogtreecommitdiffstats
path: root/tests/py/inet
Commit message (Collapse)AuthorAgeFilesLines
* tests/py: Add a test for failing ipsec after counterPhil Sutter2022-06-273-0/+29
| | | | | | | | | | | This is a bug in parser/scanner due to scoping: | Error: syntax error, unexpected string, expecting saddr or daddr | add rule ip ipsec-ip4 ipsec-forw counter ipsec out ip daddr 192.168.1.2 | ^^^^^ Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: py: add inet/vmap testsPablo Neira Ayuso2022-03-294-0/+222
| | | | | | | Add a few tests with concatenations including raw and integer type expressions. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: py: remove redundant payload expressionsJeremy Sowden2022-01-153-21/+1
| | | | | | | | Now that we keep track of more payload dependencies, more redundant payloads are eliminated. Remove these from the Python test-cases. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: py: fix inet/ip.t bridge payloadJeremy Sowden2022-01-151-1/+1
| | | | | | | | | | | | Correct the statement used to load the protocol in the bridge payload of one of the ip tests. A previous commit was supposed, in part, to do this, but the update got lost. Fixes: 4b8e51ea5fc8 ("tests: py: fix inet/ip.t payloads") Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: py: fix inet/ip_tcp.t testJeremy Sowden2022-01-152-2/+14
| | | | | | | | | | | | | | | | | | Contrary to the comment and expected output, nft does _not_ eliminate the redundant `ip protocol` expression from the second test. Dependency elimination requires a higher level expression. `ip saddr` cannot lead to the elimination of `ip protocol` since they are both L3 expressions. `tcp dport` cannot because although `ip saddr` and `ip protocol` both imply that the L3 protocol is `ip`, only protocol matches are stored as dependencies, so the redundancy is not apparent, and in fact, `payload_may_dependency_kill` explicitly checks for the combination of inet, bridge or netdev family, L4 expression and L3 ipv4 or ipv6 dependency and returns false. Correct the expected output and comment. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: py: fix inet/ip.t payloadsJeremy Sowden2022-01-151-14/+0
| | | | | | | | | | In one of the bridge payloads, the wrong command is given to load the protocol. [ fw@strlen.de: remove the duplicated netdev payload ] Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: py: fix inet/sets.t netdev payloadJeremy Sowden2022-01-151-3/+3
| | | | | | | | The netdev payload for one of the inet/sets.t tests was cut-and-pasted from the inet payload without being properly updated. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Florian Westphal <fw@strlen.de>
* evaluate: reject: support ethernet as L2 protocol for inet tableJeremy Sowden2021-12-153-0/+46
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When we are evaluating a `reject` statement in the `inet` family, we may have `ether` and `ip` or `ip6` as the L2 and L3 protocols in the evaluation context: table inet filter { chain input { type filter hook input priority filter; ether saddr aa:bb:cc:dd:ee:ff ip daddr 192.168.0.1 reject } } Since no `reject` option is given, nft attempts to infer one and fails: BUG: unsupported familynft: evaluate.c:2766:stmt_evaluate_reject_inet_family: Assertion `0' failed. Aborted The reason it fails is that the ethernet protocol numbers for IPv4 and IPv6 (`ETH_P_IP` and `ETH_P_IPV6`) do not match `NFPROTO_IPV4` and `NFPROTO_IPV6`. Add support for the ethernet protocol numbers. Replace the current `BUG("unsupported family")` error message with something more informative that tells the user to provide an explicit reject option. Add a Python test case. Fixes: 5fdd0b6a0600 ("nft: complete reject support") Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001360 Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Support netdev egress hookLukas Wunner2021-10-2815-14/+42
| | | | | | | | | Add userspace support for the netdev egress hook which is queued up for v5.16-rc1, complete with documentation and tests. Usage is identical to the ingress hook. Signed-off-by: Lukas Wunner <lukas@wunner.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink_delinearize: incorrect meta protocol dependency killPablo Neira Ayuso2021-08-263-0/+76
| | | | | | | | meta protocol is meaningful in bridge, netdev and inet families, do not remove this. Fixes: 056aaa3e6dc6 ("netlink_delinearize: Refactor meta_may_dependency_kill()") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink_delinearize: skip flags / mask notation for singleton bitmask againPablo Neira Ayuso2021-08-153-0/+30
| | | | | | | != operation should also be covered too. Fixes: 347a4aa16e64 ("netlink_delinearize: skip flags / mask notation for singleton bitmask") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: py: check more flag match transformations to compact syntaxPablo Neira Ayuso2021-07-283-0/+193
| | | | | | Add a few more tests to extend coverage. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: py: tcp flags & (fin | syn | rst | ack) == synPablo Neira Ayuso2021-07-283-0/+36
| | | | | | Add a test case to cover translation to tcp flags syn / fin,syn,rst,ack. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink_delinearize: skip flags / mask notation for singleton bitmaskPablo Neira Ayuso2021-07-283-0/+31
| | | | | | | | Do not transform 'tcp flags & flag == flag' to 'flag / flag'. The parser does not accept this notation yet. Fixes: c3d57114f119 ("parser_bison: add shortcut syntax for matching flags without binary operations") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: py: idempotent tcp flags & syn != 0 to tcp flag synPablo Neira Ayuso2021-07-273-0/+25
| | | | | | Add a test to cover this case. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: disallow negation with binary operationPablo Neira Ayuso2021-07-271-0/+1
| | | | | | | | | | | | | The negation was introduced to provide a simple shortcut. Extend e6c32b2fa0b8 ("src: add negation match on singleton bitmask value") to disallow negation with binary operations too. # nft add rule meh tcp_flags 'tcp flags & (fin | syn | rst | ack) ! syn' Error: cannot combine negation with binary expression add rule meh tcp_flags tcp flags & (fin | syn | rst | ack) ! syn ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ~~~ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink_linearize: incorrect netlink bytecode with binary operation and flagsPablo Neira Ayuso2021-07-273-0/+70
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | nft generates incorrect bytecode when combining flag datatype and binary operations: # nft --debug=netlink add rule meh tcp_flags 'tcp flags & (fin | syn | rst | ack) syn' ip [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] [ payload load 1b @ transport header + 13 => reg 1 ] [ bitwise reg 1 = ( reg 1 & 0x00000017 ) ^ 0x00000000 ] [ bitwise reg 1 = ( reg 1 & 0x00000002 ) ^ 0x00000000 ] [ cmp neq reg 1 0x00000000 ] Note the double bitwise expression. The last two expressions are not correct either since it should match on the syn flag, ie. 0x2. After this patch, netlink bytecode generation looks correct: # nft --debug=netlink add rule meh tcp_flags 'tcp flags & (fin | syn | rst | ack) syn' ip [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] [ payload load 1b @ transport header + 13 => reg 1 ] [ bitwise reg 1 = ( reg 1 & 0x00000017 ) ^ 0x00000000 ] [ cmp eq reg 1 0x00000002 ] Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expression: missing != in flagcmp expression print functionPablo Neira Ayuso2021-07-273-0/+34
| | | | | | | Missing != when printing the expression. Fixes: c3d57114f119 ("parser_bison: add shortcut syntax for matching flags without binary operations") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: py: missing json update for numeric reject with icmp numericPablo Neira Ayuso2021-07-271-0/+10
| | | | | | | Add missing tests to cover json support for reject with icmp numeric. Fixes: 1ab1fcbc19a8 ("parser_bison: parse number as reject icmp code") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: py: update new reject with icmp code syntax leftoverPablo Neira Ayuso2021-07-271-2/+2
| | | | | | | I forgot to update a few more spots in the json files. Fixes: 08d2f0493671 ("src: promote 'reject with icmp CODE' syntax") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: promote 'reject with icmp CODE' syntaxPablo Neira Ayuso2021-07-263-65/+65
| | | | | | | | | | | | | | | | | | | | | | | The kernel already assumes that that ICMP type to reject a packet is destination-unreachable, hence the user specifies the *ICMP code*. Simplify the syntax to: ... reject with icmp port-unreachable this removes the 'type' keyword before the ICMP code to reject the packet with. IIRC, the original intention is to leave room for future extensions that allow to specify both the ICMP type and the ICMP code, this is however not possible with the current inconsistent syntax. Update manpages which also refer to ICMP type. Adjust tests/py to the new syntax. Fixes: 5fdd0b6a0600 ("nft: complete reject support") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_bison: parse number as reject icmp codePablo Neira Ayuso2021-07-262-0/+5
| | | | | | | | | | | | Extend parser to accept a numeric icmp code, instead of bailing out: # nft add rule inet filter input reject with icmpx type 3 Error: syntax error, unexpected number, expecting string add rule inet filter input reject with icmpx type 3 ^ Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1555 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: py: add dnat to port without defining destination addressPablo Neira Ayuso2021-07-223-0/+28
| | | | | | | Add a test to cover dnat to port without destination address. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1428 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* segtree: memleak in error path of the set to segtree conversionPablo Neira Ayuso2021-06-181-1/+1
| | | | | | | | | | | Release the array of intervals and the segtree in case of error, otherwise these structures and objects are never released: SUMMARY: AddressSanitizer: 2864 byte(s) leaked in 37 allocation(s). Moreover, improve existing a test coverage of this error path. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: remove redundant test casesFlorian Westphal2021-06-0724-1788/+0
| | | | | | | | | | | | | Check for ... 23-42 ... ... { 23-42 } ... and remove the latter. Followup patch will translate the former to the latter during evaluation step to avoid the unneded anon set. A separate test case will be added that checks for such rewrites. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: ct: prefer normal cmpFlorian Westphal2021-06-073-12/+5
| | | | | | | | Followup patch will replace the { 1.2.3.4 } with single cmp, so this will cause an error when the netlink dump gets compared. Signed-off-by: Florian Westphal <fw@strlen.de>
* json: fix parse of flagcmp expressionFlorian Westphal2021-06-021-0/+27
| | | | | | | | | | | | The json test case for the flagcmp notation ('tcp flags syn,fin / syn,fin') fails with: command: {"nftables": [{"add": {"rule": {"family": "ip", "table": "test-ip4", "chain": "input", "expr": [{"match": {"left": {"&": [{"payload": {"field": "flags", "protocol": "tcp"}}, ["fin", "syn"]]}, "op": "==", "right": ["fin", "syn"]}}]}}}]} internal:0:0-0: Error: List expression only allowed on RHS or in statement expression. internal:0:0-0: Error: Failed to parse RHS of binop expression. internal:0:0-0: Error: Invalid LHS of relational. internal:0:0-0: Error: Parsing expr array at index 0 failed. internal:0:0-0: Error: Parsing command array at index 0 failed. Signed-off-by: Florian Westphal <fw@strlen.de>
* exthdr: Implement SCTP Chunk matchingPhil Sutter2021-05-193-0/+670
| | | | | | | | Extend exthdr expression to support scanning through SCTP packet chunks and matching on fixed fields' values. Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Florian Westphal <fw@strlen.de>
* parser_bison: add shortcut syntax for matching flags without binary operationsPablo Neira Ayuso2021-05-162-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch adds the following shortcut syntax: expression flags / flags instead of: expression and flags == flags For example: tcp flags syn,ack / syn,ack,fin,rst ^^^^^^^ ^^^^^^^^^^^^^^^ value mask instead of: tcp flags and (syn|ack|fin|rst) == syn|ack The second list of comma-separated flags represents the mask which are examined and the first list of comma-separated flags must be set. You can also use the != operator with this syntax: tcp flags != fin,rst / syn,ack,fin,rst This shortcut is based on the prefix notation, but it is also similar to the iptables tcp matching syntax. This patch introduces the flagcmp expression to print the tcp flags in this new notation. The delinearize path transforms the binary expression to this new flagcmp expression whenever possible. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_bison: missing relational operation on flag listPablo Neira Ayuso2021-05-023-0/+27
| | | | | | | | | | | | | | | Complete e6c32b2fa0b8 ("src: add negation match on singleton bitmask value") which was missing comma-separated list of flags. This patch provides a shortcut for: tcp flags and fin,rst == 0 which allows to check for the packet whose fin and rst bits are unset: # nft add rule x y tcp flags not fin,rst counter Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* mnl: Set NFTNL_SET_DATA_TYPE before dumping set elementsPhil Sutter2021-03-092-4/+4
| | | | | | | | In combination with libnftnl's commit "set_elem: Fix printing of verdict map elements", This adds the vmap target to netlink dumps. Adjust dumps in tests/py accordingly. Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests/py: Adjust payloads for fixed nat statement dumpsPhil Sutter2021-03-092-9/+9
| | | | | | Libnftnl no longer dumps unused regs, so drop those. Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests/py: Add a test sanitizer and fix its findingsPhil Sutter2021-02-0411-212/+24
| | | | | | | | | | | | | | | | This is just basic housekeeping: - Remove duplicate tests in any of the *.t files - Remove explicit output if equal to command itself in *.t files - Remove duplicate payload records in any of the *.t.payload* files - Remove stale payload records (for which no commands exist in the respective *.t file - Remove duplicate/stale entries in any of the *.t.json files In some cases, tests were added instead of removing a stale payload record if it fit nicely into the sequence of tests. Signed-off-by: Phil Sutter <phil@nwl.cc>
* json: Do not abbreviate reject statement objectPhil Sutter2021-02-031-6/+9
| | | | | | | | | No need to reduce output size, also this way output is more predictable. While being at it, drop some pointless chunks from tests/py/bridge/reject.t.json.output. Signed-off-by: Phil Sutter <phil@nwl.cc>
* reject: Unify inet, netdev and bridge delinearizationPhil Sutter2021-01-272-196/+32
| | | | | | | | | | | | | | Postprocessing for inet family did not attempt to kill any existing payload dependency, although it is perfectly fine to do so. The mere culprit is to not abbreviate default code rejects as that would drop needed protocol info as a side-effect. Since postprocessing is then almost identical to that of bridge and netdev families, merge them. While being at it, extend tests/py/netdev/reject.t by a few more tests taken from inet/reject.t so this covers icmpx rejects as well. Cc: Jose M. Guisado Gomez <guigom@riseup.net> Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: py: Fix for changed concatenated ranges outputPhil Sutter2020-12-153-3/+3
| | | | | | | Payload didn't change but libnftnl was fixed to print the key_end data reg of concat-range elements, too. Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: py: update format of registers in bitwise payloads.Jeremy Sowden2020-11-166-13/+13
| | | | | | | | | libnftnl has been changed to bring the format of registers in bitwise dumps in line with those in other types of expression. Update the expected output of Python test-cases. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: py: remove duplicate payloads.Jeremy Sowden2020-11-094-221/+0
| | | | | | | | | nft-test.py only needs one payload per rule, but a number of rules have duplicates, typically one per address family, so just keep the last payload for rules listed more than once. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: avoid warning and add missing json test casesFlorian Westphal2020-11-052-2/+57
| | | | | | make dnat.t pass in json mode. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: json: add missing test case outputFlorian Westphal2020-11-051-0/+74
| | | | | | | | | | | | Fix warnings and errors when running nf-test.py -j due to missing json test case updates. This also makes bridge/reject.t pass in json mode. No code changes. Fixes: 8615ed93f6e4c4 ("evaluate: enable reject with 802.1q") Fixes: fae0a0972d7a71 ("tests: py: Enable anonymous set rule with concatenated ranges in inet/sets.t") Fixes: 2a20b5bdbde8a1 ("datatype: add frag-needed (ipv4) to reject options") Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: py: add missing test JSON output for TCP flag tests.Jeremy Sowden2020-10-122-0/+186
| | | | | | Fixes: 3926a3369bb5 ("mergesort: unbreak listing with binops") Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: context tracking for multiple transport protocolsPablo Neira Ayuso2020-09-152-0/+30
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch extends the protocol context infrastructure to track multiple transport protocols when they are specified from sets. This removes errors like: "transport protocol mapping is only valid after transport protocol match" when invoking: # nft add rule x z meta l4proto { tcp, udp } dnat to 1.1.1.1:80 This patch also catches conflicts like: # nft add rule x z ip protocol { tcp, udp } tcp dport 20 dnat to 1.1.1.1:80 Error: conflicting protocols specified: udp vs. tcp add rule x z ip protocol { tcp, udp } tcp dport 20 dnat to 1.1.1.1:80 ^^^^^^^^^ and: # nft add rule x z meta l4proto { tcp, udp } tcp dport 20 dnat to 1.1.1.1:80 Error: conflicting protocols specified: udp vs. tcp add rule x z meta l4proto { tcp, udp } tcp dport 20 dnat to 1.1.1.1:80 ^^^^^^^^^ Note that: - the singleton protocol context tracker is left in place until the existing users are updated to use this new multiprotocol tracker. Moving forward, it would be good to consolidate things around this new multiprotocol context tracker infrastructure. - link and network layers are not updated to use this infrastructure yet. The code that deals with vlan conflicts relies on forcing protocol context updates to the singleton protocol base. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: added "socket wildcard" testcasesBalazs Scheidler2020-08-293-0/+62
| | | | | Signed-off-by: Balazs Scheidler <bazsi77@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* mergesort: unbreak listing with binopsPablo Neira Ayuso2020-08-202-0/+23
| | | | | | | | | | | | | tcp flags == {syn, syn|ack} tcp flags & (fin|syn|rst|psh|ack|urg) == {ack, psh|ack, fin, fin|psh|ack} results in: BUG: Unknown expression binop nft: mergesort.c:47: expr_msort_cmp: Assertion `0' failed. Aborted (core dumped) Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: py: Enable anonymous set rule with concatenated ranges in inet/sets.tStefano Brivio2020-05-284-1/+41
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Commit 64b9aa3803dd ("tests/py: Add tests involving concatenated ranges") introduced a rule, commented out, adding an anonymous set including concatenated ranges. Now that they are properly handled, we can enable it. Note that this introduces a new warning. In the output below, '\' marks newlines I introduced to keep lines short: inet/sets.t: WARNING: line 24: \ 'add rule inet test-inet input ip daddr . tcp dport \ { 10.0.0.0/8 . 10-23, 192.168.1.1-192.168.3.8 . 80-443 } accept': \ 'ip daddr . tcp dport \ { 10.0.0.0/8 . 10-23, 192.168.1.1-192.168.3.8 . 80-443 } accept' \ mismatches 'meta nfproto ipv4 ip daddr . tcp dport \ { 10.0.0.0/8 . 10-23, 192.168.1.1-192.168.3.8 . 80-443} accept' which is similar to the existing warning, also introduced by commit 64b9aa3803dd: inet/sets.t: WARNING: line 23: \ 'add rule inet test-inet input \ ip saddr . ip daddr . tcp dport @set3 accept': \ 'ip saddr . ip daddr . tcp dport @set3 accept' mismatches \ 'meta nfproto ipv4 ip saddr . ip daddr . tcp dport @set3 accept' This is mentioned in the commit message for 64b9aa3803dd itself: * Payload dependency killing ignores the concatenated IP header expressions on LHS, so rule output is asymmetric. which means that for family inet, 'meta nfproto ipv4' is added to the output of the rule, on top of what was passed as input, but not for families bridge and netdev. For this reason, it's not possible in this case to specify a single expected output, differing from the input, and, also, 'meta nfproto ipv4' can only be passed as input for family inet as it's not relevant for the other families. As an alternative, we could split the rules from this test into tests for the corresponding families, as this test case itself is under the 'inet' directory, but I consider this beyond the scope of this patchset. v2: Enable rule in py/inet/sets.t instead of adding a new test in shell/sets (Phil Sutter) Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* tests: py: remove range test with service namesPablo Neira Ayuso2020-04-281-1/+0
| | | | | | | Service names printing are not default these days, using service names with ranges is misleading. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* segtree: broken error reporting with mappingsPablo Neira Ayuso2020-04-111-0/+2
| | | | | | | | | | | | | Segfault on error reporting when intervals overlap. ip saddr vmap { 10.0.1.0-10.0.1.255 : accept, 10.0.1.1-10.0.2.255 : drop } Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1415 Fixes: 4d6ad0f310d6 ("segtree: check for overlapping elements at insertion") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: py: update nat expressions payload to include proto flagsPablo Neira Ayuso2020-03-201-2/+2
| | | | | | | Update tests according to 6c84577b0d23 ("evaluate: add range specified flag setting (missing NF_NAT_RANGE_PROTO_SPECIFIED)") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/py: Move tcpopt.t to any/ directoryPhil Sutter2020-03-104-719/+0
| | | | | | | Merge tcpopt.t files in ip, ip6 and inet into a common one, they were just marignally different. Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests/py: Add tests involving concatenated rangesPhil Sutter2020-03-105-0/+77
| | | | | | | | | | | | | | | Very basic testing, just a set definition, a rule which references it and another one with an anonymous set. Sadly this is already enough to expose some pending issues: * Payload dependency killing ignores the concatenated IP header expressions on LHS, so rule output is asymmetric. * Anonymous sets don't accept concatenated ranges yet, so the second rule is manually disabled for now. Signed-off-by: Phil Sutter <phil@nwl.cc>